The CyberWire Daily Podcast 5.6.21
Ep 1327 | 5.6.21

Some possible insight into what a Chinese cyberespionage unit is up to. Hackathons, from Beijing to Washington. Panda Stealer is after crypto wallets. And Peloton deals with a leaky API.

Transcript

Dave Bittner: Some possible insight into what a Chinese cyber-espionage unit is up to. Hackathons from Beijing to Washington. Panda Stealer is dealers after crypto wallets. Microsoft's Kevin Magee reflects on lessons learned in the last year. Our own Rick Howard speaks with Todd Neilson from World Wide Technology on zero trust. And Peloton deals with a leaky API.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 6, 2021. 

Dave Bittner: Last month, Japanese authorities attributed a long-running cyber-espionage campaign to People's Liberation Army Unit 61419. As The Japan Times and other outlets reported at the time, Japanese security services concluded that the Tick APT, which had been conducting cyber-espionage against about 200 organizations, prominently including the Japan Aerospace Exploration Agency, was being run by China's People's Liberation Army. Kyodo News characterized the unit as a counterintelligence outfit, although it actually appears to be a SIGINT unit, and said that a Chinese engineer and Communist Party member had been referred for prosecution. 

Dave Bittner: PLA Unit 61419 is again in the news, this time with some possible insight into its internal operations. Recorded Future's Insikt Group has found procurement documents indicating that the PLA unit has sought to purchase foreign antivirus programs. The Insikt Group thinks it likely that the intention is to use them for exploitation, either to use them as test environments for PLA-developed attack tools or to identify vulnerabilities that could be exploited for initial intrusion in zero-day attacks. 

Dave Bittner: The specific tools PLA Unit 61419 sought subscriptions to include some well-known names, including products from Kaspersky, Avira, McAfee, Dr.Web, Norton and others. Using these antivirus tools for test and development strikes the Insikt Group as a likely harbinger of supply chain attacks. Their report says in its conclusion, quote, "Given the pattern of Chinese state-sponsored exploitation of the global software supply chain described above, as well as China's exclusion of foreign antivirus software as an option for government organizations, the brands and products indicated should be monitored for future exploitation. Focus should be placed on adversarial simulations, penetration testing, patching known vulnerabilities and monitoring for anomalous traffic related to these antivirus products," end quote. 

Dave Bittner: Coincidentally or not, shortly after publishing its article on Chinese purchases of antivirus technology, Recorded Future's the Record came under a distributed denial-of-service attack. There are indeed coincidences sometimes because stuff does happen. But some coincidences do seem suspicious and worth a second look. 

Dave Bittner: We note that over the weekend, a Belgian ISP that serves much of that country's public sector also came under a distributed denial-of-service attack. The ISP, Belnet, has since restored service. But as Computing reported, the attack caused the cancellation of a hearing before Belgium's parliamentary foreign affairs committee that would have heard testimony on human rights in China's Xinjiang Uyghur Autonomous Region. As one Belgian MP remarked, attribution would be premature, but it would be naive to ignore the context of the attack. 

Dave Bittner: Other news about Chinese cyber operations suggests a motivation for Beijing's interest in promoting autarkic hacking competitions and discouraging participation in international tournaments. 

Dave Bittner: MIT Technology Review reports that U.S. intelligence services have concluded that an iPhone exploit nicknamed Chaos, disclosed by a researcher from Qihoo 360 during the inaugural Tianfu Cup hacking competition in 2018, was subsequently used by Chinese security services for surveillance of China's Uyghurs. The Tianfu Cup was established as a domestic Chinese alternative to such international hacking competitions as Pwn2Own. 

Dave Bittner: Trend Micro this week has described Panda Stealer, an information stealer spread by phishing, that targets digital currency wallets. Panda Stealer has been most active against targets in the United States, Australia, Japan, and Germany. It's apparently a financially motivated criminal operation interested in rifling wallets for alt coin. 

Dave Bittner: Exercise equipment manufacturer Peloton is dealing with reports of a leaky API that could expose personal data of users, TechCrunch reports. Pen Test Partners, which disclosed the issue to Peloton in January, says the API permitted unauthenticated requests for user account data. The API permitted access to a Peloton user's age, gender, city, weight and workout statistics. If it happened to be the user's birthday, interested, unauthorized third parties could also obtain details that are hidden when users' profile pages are set to private. 

Dave Bittner: Peloton has drawn some high-profile users, U.S. President Biden among them. The company says there's no evidence the flaw has been exploited in the wild, but TechCrunch thinks they've been dilatory in addressing it and evasive in their discussions of the issue. Peloton explained that they did act to correct the issues Pen Test Partners disclosed to them but that they didn't do a good job of closing the loop on the disclosure. Quote, "We took action and addressed the issues based on Pen Test Partner's initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues," end quote. 

Dave Bittner: The U.S. Department of Defense has opened all of its publicly accessible websites and applications to its Vulnerability Disclosure Program. Part of that program is the Hack the Pentagon invitation to outsiders to take a whack at finding vulnerabilities in the defense department's networks. And as CyberScoop points out, more of the Pentagon's infrastructure will henceforth be whackable. 

Dave Bittner: The CyberWire's own CSO Rick Howard has been checking in with experts on a variety of topics. This week, it's cyberthreat intelligence. Here's Rick. 

Rick Howard: I got the chance to talk to Todd Neilson, who at the time was the lead for global security efforts at World Wide Technology. But between the time that I did the interview and now, Todd has taken a new CISO gig and has yet to disclose who his new employer is. But we discussed how the old defense in depth strategy that I used back in the 1990s - you know, deploying firewalls, intrusion detection systems and antivirus systems into an overlapping grid - has kind of morphed into a subcomponent of a much larger zero-trust strategy. Now, Todd is an acronym man, and he refers to defense in depth as DiD and zero-trust architecture as ZTA. So listen carefully for that. 

Todd Neilson: I think that zero trust is an architecture. It's a model. It's not a product. It's the new version of DiD simply because it has multiple pillars. So zero trust includes the user. It includes the endpoint. It includes SASE networks. It includes your router switch's network controls. It includes cloud. And by definition, you have to lock everything down to provide a zero-trust environment. And that takes multiple layers to do that and multiple components, multiple tools. But I also think, gosh, that DiD may be good for Joe's Chicken Shack with five users, but it may not be good for a global top five bank. 

Rick Howard: Joe's Chicken Shack - I love that phrase, and I'm totally going to steal it for whenever I talk about small, medium and large organizations from now on. Joe's Chicken Shack is my new small organization. But in my head, I don't hear Joe's Chicken Shack. I hear the love shack, baby. 

(SOUNDBITE OF SONG, "LOVE SHACK") 

The B-52's: You're a what? Tin roof. Rusted. 

Rick Howard: But Todd is right. Zero trust is hard to do and may be a bridge too far when it comes to the Joe Chicken Shacks out there. 

Todd Neilson: I think a zero-trust ongoing programmatic approach today is reserved for those larger enterprises that have the resources, time and money to do it. If you just have a Shopify cart hosted on Shopify and you're selling widgets on online and you're a small company, zero trust might not be good for that environment. But if you're an enterprise and you have keys to the kingdom, if you want to protect the formula for Coke, maybe you want a complete lockdown, zero-trust strategy around your crown jewels, but yet not a zero trust on open marketing information that you give out to all your clients. Maybe they use DiD for something simple but then they go back to the ZTA for something complex. There's never one right answer for every company. 

Rick Howard: Todd believes that it all comes down to forecasting risk and having that honest conversation with the board about their risk appetite. 

Todd Neilson: Once you have your risk exercise, your risk appetite decided and you have identified your assets, now you can apply the zero-trust strategies to those higher risk areas that may need that investment today. Mapping risk to business goals first and then your ability to execute is the tertiary. 

Rick Howard: One thing is certain, zero trust is not a destination. It's a journey, a journey that you will most likely never get to the end of. There are a gazillion different things you can do to improve your zero-trust landscape. But the idea that an organization will reach some sort of nirvana, zero trust end state, where you can stop what you're doing, look around twice and say, yep, I made it to zero trust, that's not realistic. It's more like a mirage on the horizon, hovering just out of your reach as you inch closer and closer to it, or as one of Todd's Fortune 10 customers like to call it, it's a unicorn. 

Todd Neilson: It doesn't exist. That's how he feels about it, at least today, in terms of getting to the end of zero trust. To your point, it's a journey. I like to say it's programmatic. You can't say, we're going to do a zero-trust project, and we're going to check it off and check these boxes. And when we get there, we have zero trust. It doesn't work that way either. And so I think it's very much programmatic. The best way to adopt a zero trust is to eat it one bite at a time. 

Rick Howard: There is no question that zero trust should be one of your atomic strategies that you will use to decrease the probability of material impact to your organization due to a cyberattack. Over on the CyberWire Pro side, I did an entire season on my "CSO Perspectives" podcast about the first principle strategies that we all should be deploying, and zero trust feature prominently. But as Todd said, if your organization is the size of Joe's Chicken Shack, maybe you should focus on some basic resiliency before diving headfirst into the deep waters of zero trust. 

Dave Bittner: That's our own CSO Rick Howard. 

Dave Bittner: And I am pleased to be joined once again by Kevin Magee. He is the chief security and compliance officer at Microsoft Canada. Kevin, great to have you back. You know, we are just about at the one-year mark here with the pandemic, and I think most people would agree that it's been quite a year. I want to touch base with you and sort of check in with - as you've been working with your team and you look back at this past year, any lessons that you all have taken away so far? 

Kevin Magee: Yeah, thanks for having me back again, Dave. We often don't really look at the sort of the people aspect or the layer aid (ph) aspect of security teams. And managing a security team is always a difficult challenge, but managing a security team through a pandemic has been extremely difficult. And like you said, one year in, we're really starting to see exhaustion set in. People are feeling overwhelmed, and they're feeling like, often, that we're losing this war against attackers. 

Kevin Magee: So how do we think about leadership? How do we think about managing people? And how do we really encourage and support them through the pandemic? Because we're not going to return to a normal. We're in a new normal state. So there's lots of lessons learned that we've had over the past year. I had a chance to sit down with my team and really have a deep dive on what's working, what's not and was really surprised with some of the things that we learned. 

Dave Bittner: Well, take us through some of the insights there. What did they have to share? 

Kevin Magee: Yeah, from my perspective, much of what I've learned as a manager over the years has been how to support and coach people in in-person experiences. And I'm having to relearn and reimagine leadership for a video world. And I felt really sort of bad about maybe I'm not, you know, showing up in a great way. But my - you know, my team was really - to, you know, to share hey, no, we're all trying to figure this out together. 

Kevin Magee: Interviewing, hiring, onboarding, managing supporting employees you've never met before can be extremely challenging for a manager, as well. But it also opens up a whole set of new opportunities about thinking about location doesn't really matter. We can look for the best talent, regardless of where it is. That's allowing us to add much more diversity to our candidate pool as well and bring in new skill sets. It's also allowing people to sort of live the lifestyle that they want to maybe in a remote location or not close to a major city. So there are some subtle changes that are making the work-life balance better, not just worse as well. 

Dave Bittner: What were your team telling you about dealing with the ongoing stress with - you know, just the burden that we're all living in this world, the weight of existing, trying to do your best, doing your job while you still have the reality that this pandemic goes on? 

Kevin Magee: One of the big challenges that came up was just recognition. And no one really wants a pat on the back or a shout-out. But a lot of the work we do, if we do it well - and the most important work, we can't talk about. So you can't get a gold star. You can't get an award for - often in cybersecurity. So how do we create opportunities to recognize employees? And then how do we create, you know, different experiences where we can sort of relieve stress and work together as a team? 

Kevin Magee: So our team came up with the idea of we would take on mentoring some startups and mentoring some students. And we would work with students that are graduating to coach them and help them break into the cybersecurity industry. And that one-on-one time with a student really gave them a sense of purpose, increased the morale, made them feel like they were making a difference and gave them another person-to-person connection. But it was also something that we could recognize them for and reward them for, so it was very fulfilling. So finding some side projects or finding some other ways to give back as a team to the industry or whatnot is a great way to overcome some of these challenges and feel like you're making a difference. 

Dave Bittner: What about for managers? I mean, do you have any advice for them? 

Kevin Magee: I think, often, we say do what we say, not what we do. And I think the main thing - and this is - my manager actually told me, you know, make sure there's something left in the tank for you at the end of the week. Because a lot of times, I felt really incumbent on myself to be there for my team, to be super supportive and whatnot. And then, you know, this has been a marathon. Making sure that you're taking time for yourself is not only good for you for self-care, but also, it's modeling the proper behavior for your team. 

Kevin Magee: If you're working weekends and you're working nights when you shouldn't be, then they're going to feel compelled to that they have to do that as well, too. So they're looking to us to see what we do, to see what's acceptable, to see what's normal in this time. And our actions speak just as loud of our words. So as leaders in the industry, we need to make sure that we're setting the proper tone from the top as well. 

Dave Bittner: What do you think is on the other side of this? What kind of changes do you think are going to stick when - once the pandemic is in the rearview mirror? 

Kevin Magee: Well, I'm hoping it's a lot of the good that we take with it, which is, you know, we don't always have to get on an airplane to go somewhere. We can hire people that don't live in a major city, as long as they have a great internet connection. A lot can be done remotely. We can strike better work-life balances. I'm hoping we keep the good and we drop, obviously, some of the bad. What we will need to still continue to work on is sort of this always on, always present, you know, back-to-back calls and whatnot. I'm hoping that doesn't stick with us as well. 

Kevin Magee: And we can sort of get back to a little more sense of, you know, separation between work life and our regular lives. But that's going to be a challenge, and we're going to have to be very cognizant of that. And we're going to have to really take action to make sure we're setting those boundaries, not just allow things to happen. Otherwise, our work will creep in and take up every moment of our time. And that's not necessarily a good thing. 

Dave Bittner: Yeah, yeah. All right, well, Kevin Magee, thanks for joining us. 

Kevin Magee: All right. Thanks, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.